Paul Belanger f87608d151 Add CA service to puppetmaster.o.o for zuul
We want to start encrypting our gearman traffic for zuulv3, as such
we'll need to bring online a CA service. The idea here is that we create a
new CA for each interconnecting service we want SSL certs for.

As an example /etc/zuul-ca will be used to generate SSL certs for our
gearman service.

Change-Id: I8c341559292c78d5428fe16837f28494a76e65db
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org>
2017-06-16 18:27:59 +00:00


# This file is managed by puppet.
# https://git.openstack.org/cgit/openstack-infra/system-config
#
# OpenSSL configuration for a small private CA: "openssl ca" reads
# [ca] -> [CA_default], "openssl req" reads [req]. The $dir and
# $ENV::CN references are OpenSSL config-file variable expansion, not
# shell expansion, so this file is not meant for a generic INI parser.
[ca]
# Section holding the settings used by "openssl ca".
default_ca = CA_default
[CA_default]
# Working directory; every path below is relative to it, so commands
# are expected to run from the CA directory (e.g. /etc/zuul-ca per
# the commit message).
dir = .
certs = $dir/certs
crl_dir = $dir/crl
# Text index of issued certificates (must exist, may be empty).
database = $dir/index.txt
new_certs_dir = $dir/newcerts
# CA certificate and its private key. The private/ directory and the
# key file should be readable only by the account that runs the CA.
certificate = $dir/cacert.pem
# Next serial number to issue (the file must exist).
serial = $dir/serial
private_key = $dir/private/cakey.pem
# PRNG seed file used by older OpenSSL releases; harmless elsewhere.
RANDFILE = $dir/private/.rand
# Extensions added to every certificate signed with this config
# unless overridden on the command line (e.g. -extensions server).
x509_extensions = usr_cert
# Display options for the subject/certificate confirmation output.
name_opt = ca_default
cert_opt = ca_default
# Lifetime of issued certificates in days (3650 is roughly ten
# years). That is long for end-entity certs; worth shortening once
# rotation of the gearman client/server certs is automated.
default_days = 3650
# "default" lets OpenSSL pick the digest for the signing key type.
# NOTE(review): confirm the deployed OpenSSL version accepts this
# value; an explicit "sha256" is unambiguous across versions.
default_md = default
# Do not keep the CSR's DN component order verbatim; it is rebuilt
# from the policy section below.
preserve = no
# copy_extensions is intentionally unset (defaults to "none"), so
# extensions carried in a CSR are ignored and only x509_extensions
# applies. Keep it that way: honouring CSR extensions would let a
# requester ask for CA:TRUE or arbitrary key usages.
policy = ca_policy
[ca_policy]
# Every DN component must be present in the CSR ("supplied"); none is
# required to match the CA's own DN ("match" would do that).
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied
[policy_anything]
# Identical to [ca_policy]; not referenced by "policy =" above, only
# reachable via "openssl ca -policy policy_anything". Despite the
# name it is stricter than OpenSSL's stock policy_anything, which
# marks most components "optional".
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied
[req]
# RSA key size for keys generated by "openssl req -newkey".
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# Extensions used when "openssl req -x509" self-signs, i.e. when
# creating the CA certificate itself; see [v3_ca].
x509_extensions = v3_ca
# Encode DN strings as UTF8String only (the RFC 5280 recommendation).
string_mask = utf8only
# Non-interactive: the subject is taken from [req_distinguished_name].
prompt = no
[req_distinguished_name]
# With prompt = no each key is the literal DN value, not a prompt
# label. The order here is the order of the resulting subject.
C = US
ST = Texas
L = Austin
O = OpenStack Foundation
OU = Infrastructure
# Taken from the CN environment variable at run time; "openssl req"
# fails with "variable has no value" if CN is not exported.
CN = $ENV::CN
emailAddress = openstack-infra@lists.openstack.org
[usr_cert]
# Default end-entity (client) extensions, selected by x509_extensions
# in [CA_default].
basicConstraints = CA:FALSE
nsComment = "client certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# NOTE(review): no keyUsage / extendedKeyUsage (e.g. clientAuth) is
# set, so these certificates are not restricted to TLS client use.
# Confirm that is intended for the gearman clients.
[server]
# Server extensions; select with "openssl ca -extensions server".
basicConstraints = CA:FALSE
# Legacy Netscape certificate-type attribute. Modern TLS stacks key
# off extendedKeyUsage = serverAuth instead, which is not set here.
nsCertType = server
nsComment = "server certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[v3_req]
# Not referenced by any section above (req_extensions is unset);
# available via "openssl req -reqexts v3_req". Because
# copy_extensions is off in [CA_default], anything placed in a CSR
# this way is not copied into the signed certificate.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[v3_ca]
# Extensions for the self-signed CA certificate (see [req]).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# NOTE(review): basicConstraints is not marked critical and no
# keyUsage (keyCertSign, cRLSign) is set; RFC 5280 recommends both
# for CA certificates. Consider "basicConstraints = critical,CA:true"
# plus "keyUsage = critical,keyCertSign,cRLSign" when the CA cert is
# next regenerated.
basicConstraints = CA:true